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WASHINGTON,  D.C.  20548 


The  Honorable  Orrin  Hatch 
United  States  Senate 

The  Honorable  Charles  Rose 
House  of  Representatives 
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On  June  5,  1978,  we  issued  a  report  entitled  "Procedures  to 
Safeguard  Social  Security  Beneficiary  Records  Can  and  Should  Be 
Improved"  (HRD-78-116) .  Our  report  identified  security  and  man¬ 
agement  weaknesses  which  could  lead  to  potential  loss,  destruction, 
abuse,  or  misuse  of  beneficiaries'  automated  and  hard  copy  records 
maintained  by  offices  using  the  Social  Security  telecommunications 
network — Social  Security  District  Offices,  State  Disability  Deter¬ 
mination  Services,  and  certain  Medicare  contractors.  We  recom¬ 
mended  that  Social  Security  correct  the  weaknesses. 

You  subsequently  asked  a  number  of  questions,  some  of  which 
were  related  to  our  June  5  report.  The  questions  addressed,  among 
other  things,  (1)  Social  Security's  actions  on  our  recommendations 
to  correct  weaknesses  in  officjs  using  the  telecommunications  net¬ 
work,  (2)  security  safeguards  over  beneficiary  data  provided  to 
State  agencies  (other  than  State  Disability  Determination  Services) 
through  the  Social  Security  data  exchange  programs  (not  the  Social 
Security  telecommunications  network),  and  (3)  several  matters  relat¬ 
ing  to  Social  Security  beneficiary  data  given  to  other  Federal  agen¬ 
cies  . 


During  a  series  of  meetings  with  your  offices,  it  was  agreed 
that  we  would  respond  to  your  request  by  (1)  answering  the  ques¬ 
tions  relating  to  Social  Security's  actions  on  our  recommendations, 
beneficiary  data  exchanged  with  other  Federal  agencies,  and  certain 
other  questions  in  one  report;  (2)  answering  questions  relating  to 
safeguards  over  beneficiary  information  given  to  State  agencies 
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through  data  exchange  programs  in  a  second  report;  and  (3)  briefing 
your  offices  on  the  results  of  our  efforts  regarding  the  other  ques¬ 
tions.  A  briefing  addressing  the  other  questions  (3)  was  held  on 
March  18,  1981.  This  report  addresses  the  questions  (2)  concerning 
State  agencies.  In  another  report,  we  are  responding  to  the  matters 
raised  by  questions  in  (1) — SSA's  actions  to  implement  our  June  1978 
recommendations  and  data  exchanged  among  Federal  agencies. 

In  accordance  with  instructions  from  your  offices  and  because 
we  had  requested  and  subsequently  received  formal  agency  comments 
(dated  June  24,  1981)  regarding  its  responsibilities  for  providing 
security  over  personal  Social  Security  beneficiary  information 
given  to  States,  we  did  not  obtain  formal  agency  comments  on  our 
draft  report.  However,  we  discussed  the  contents  of  this  report 
with  agency  officials  and  have  incorporated  their  comments  where 
appropriate . 

As  arranged  with  your  offices,  unless  you  publicly  announce 
its  contents  earlier,  no  further  distribution  of  this  report  will 
be  made  until  .30  days  from  the  date  of  the  report.  At  that  time, 
we  will  send  copies  to  the  Department  of  Health  and  Human  Services 
and  other  interested  parties  and  make  copies  available  to  others 
upon  request. 


A— y 


Gregory  J 
Director 
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REPORT  BY  THE  U.S.  GENERAL 
ACCOUNTING  OFFICE 


STATE  FIELD  OFFICES  ARE  NOT 
PROTECTING  SOCIAL  SECURITY 
BENEFICIARY  INFORMATION  FROM 
POTENTIAL  ABUSE  AND/OR  MISUSE 


DIGEST 

WHY  THE  REVIEW  WAS  MADE 


In  June  1978,  GAO  issued  a  report  which  identified 
security  weaknesses  in  protecting  beneficiary 
records  maintained  in  field  offices  under  the 
stewardship  of  the  Social  Security  Administration 
(SSA).  GAO  recommended  that  the  weaknesses  be 
corrected,  and  SSA  agreed  and  began  action  to  cor¬ 
rect  the  weaknesses.  The  report  also  noted  that 
SSA  gives  personal  beneficiary  information  to 
States  for  their  use  in  administering  federally 
financed  public  assistance  programs.  The  report 
stated  that  GAO's  work  did  not  extend  to  States, 
and  thus,  GAO  could  not  comment  on  whether  States 
provided  adequate  security  over  personal  benefi¬ 
ciary  information.  Subsequently,  several  Members 
of  Congress  requested  that  GAO  review  the  extent 
of  protection  over  beneficiary  information  given 
to  States. 

FINDINGS  AND  CONCLUSIONS 


GAO  found  that  personal  beneficiary  data  supplied  to 
States  are  generally  not  being  adequately  protected. 

For  example,  data  in  claimant  files  were  not  being 
controlled  by  State  offices.  Access  to  claimant 
files  by  employees  in  State  welfare  offices  is  un¬ 
limited  and  is  not  based  on  a  "need-to-know. "  There 
was  poor  control  over  the  files — i.e.,  log-out  and 
log-in  procedures  were  not  being  used  to  identify 
the  location  of  a  file  during  processing. 

Photocopy  machines  are  not  usually  secured  during 
nonworking  hours — an  employee  or  an  outside  intruder 
could  select  claimant  files,  copy  the  desired  in¬ 
formation  in  the  files,  and  remove  it  from  the 
office  without  anyone  noticing.  Claimant  files 
are  generally  not  secured  in  lockable  cabinets,  but 
are  stacked  around  the  offices  in  various  locations 
during  working  and  nonworking  hours. 
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Access  to  welfare  offices  is  not  restricted.  Most 
offices  are  leased  and  the  landlords  generally  re¬ 
tain  the  keys;  in  addition,  persons  providing  jani¬ 
torial  services  also  have  keys.  In  many  offices 
there  was  little  control  over  who  had  keys  to  the 
offices . 

Many  offices  did  not  have  instructions  on  how  to 
dispose  of  documents  containing  personal  informa¬ 
tion.  Managers  relied  on  the  discretion  of  em¬ 
ployees  when  disposing  of  wastepapers  containing 
sensitive  data.  Some  employees  tear  them  up  (shred) 
before  putting  them  in  wastebaskets,  while  others  do 
not.  In  addition  to  unmutilated  personal  informa¬ 
tion  being  placed  in  wastebaskets,  copies  of  compu¬ 
ter  printouts  containing  personal  information  were 
stacked  in  hallways,  on  loading  platforms,  and  in 
dumpsters  located  in  parking  lots.  In  one  State,  an 
employee  was  selling  unmutilated  computer  printouts 
for  scrap  paper  to  supplement  his  income;  office 
officials  did  not  know  where  or  to  whom  the  print¬ 
outs  were  being  sold  (see  ch.  3). 

The  Department  of  Health  and  Human  Services  had  not 
developed  a  consistent  and  comprehensive  security 
program  to  be  used  by  States  in  protecting  benefi¬ 
ciary  information  (see  ch.  4). 

RECOMMENDATIONS  TO  THE  SECRETARY 
OF  HEALTH  AND  HUMAN  SERVICES 

GAO  recommends  that  the  Secretary  formulate  and 
establish  a  firm,  consistent,  and  comprehensive 
security  program  for  protecting  data  supplied  to 
State  and  local  entities.  Also,  the  Secretary 
should,  if  deemed  necessary,  seek  the  advice  of 
the  Department  of  Justice  to  resolve  any  legal 
problems  encountered  in  formulating  and  estab¬ 
lishing  such  a  program. 
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CHAPTER  1 
INTRODUCTION 

In  June  1978,  we  issued  a  report  entitled  "Procedures  to  Safe¬ 
guard  Social  Security  Beneficiary  Records  Can  and  Should  Be  Im¬ 
proved"  (HRD-78-116) .  This  report  identified  weaknesses  in  the 
security  over  the  Social  Security  Administration  (SSA)  beneficiary 
records  maintained  in  field  offices  under  the  stewardship  of  SSA, 
a  component  agency  in  the  Department  of  Health  and  Human  Services 
(HHS) .  We  recommended  that  the  identified  weaknesses  be  corrected. 
In  August  1978,  SSA  formally  agreed  with  our  recommendations  and 
stated  that  corrective  action  was  underway. 

The  June  1978  report  noted  that  SSA  submits  personal  bene¬ 
ficiary  information  from  SSA  beneficiary  records  to  States  for 
their  use  in  administering  a  number  of  federally  financed  public 
assistance  programs.  We  stated  that  our  work  did  not  extend  to 
the  actions  of  the  States,  and  thus,  we  did  not  know  whether  States 
provided  adequate  security  for  beneficiary  information.  We  also 
stated  that  SSA  officials  told  us  that  they  too  had  not  extended 
their  review  of  data  security  to  include  State  practices. 

Subsequently,  several  Members  of  Congress  asked  a  number  of 
questions  concerning,  among  other  things,  the  privacy  and  security 
of  personal  beneficiary  information  in  records  maintained  by  SSA. 
The  questions  generally  involved  providing  information  on  (1)  what 
actions  SSA  had  taken  in  response  to  the  recommendations  in  our 
June  1978  report  and  (2)  the  protection  of  beneficiary  information 
turned  over  to  Federal  and  State  agencies.  1/ 

This  report  responds  to  questions  focusing  on  the  nature  and 
extent  of  security  safeguards  over  SSA  beneficiary  information 
given  to  State  agencies.  The  specific  questions  are: 


_1/We  agreed  with  the  requestors  that  we  would  (1)  respond  to  the 
questions  on  what  actions  SSA  had  taken  on  our  recommendations, 
the  beneficiary  data  exchanged  among  Federal  agencies,  and  addi¬ 
tional  specific  information  on  overall  beneficiary  records  in 
one  report,  (2)  determine  and  report  on  the  extent  of  security 
safeguards  over  beneficiary  information  given  to  State  agencies 
in  a  second  report,  and  (3)  brief  the  requestors  on  the  results 
of  our  work  on  the  remaining  questions.  The  briefing  took  place 
on  March  18,  1981. 
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—  "Under  the  routine  use  provisions,  C_1  / ]  what  data  on 

individuals  is  being  given  by  SSA  to  individual  State  and 
local  governments? 

— "How  is  the  data  treated  in  terms  of  security  and  privacy?" 
OBJECTIVES,  SCOPE,  AND  METHODOLOGY 


Our  objectives  were  to  answer  the  above-quoted  questions.  Our 
review  was  performed  at  (1)  the  headquarters  for  HHS,  SSA,  and  the 
Health  Care  Financing  Administration  (HCFA) ;  (2)  HHS  regional  of¬ 
fices  in  8  Federal  regions;  (3)  the  headquarters  for  welfare  agen¬ 
cies  in  14  State  governments;  and  (4)  80  State  government  field 
installations.  The  States  visited  were  California,  Connecticut, 
Colorado,  Florida,  Georgia,  Illinois,  Maryland,  Massachusetts, 
Pennsylvania,  New  Jersey,  Texas,  Utah,  Wisconsin,  and  Wyoming. 

These  States  were  located  in  8  of  the  10  Federal  regions  and  in¬ 
cluded  about  47  percent  of  the  33.4  million  people  receiving  public 
assistance  benefits.  The  selection  of  the  States  was  in  accordance 
with  the  requestors'  instructions,  and  they  were  satisfied  that  the 
coverage  was  adequate. 

We  interviewed  officials  to  identify  the  flow  of  beneficiary 
information  in  data  exchange  processes  being  used  by  SSA  and  HCFA, 
observed  security  practices,  obtained  copies  of  related  studies 
and  local  laws,  and  examined  records  concerning  security  matters  at 
each  of  these  locations.  We  evaluated  selected  technical,  adminis¬ 
trative,  and  physical  security  measures  for  both  manual  and  auto¬ 
mated  systems  to  determine  if  beneficiary  information  supplied  to 
State  and  local  entities  is  properly  safeguarded  from  potential 
abuse  and/or  misuse.  We  did  not  attempt  to  identify  and  evaluate 
every  potential  security  problem  at  each  location  visited. 


1/ Routine  use  means,  with  respect  to  the  disclosure  of  a  record, 
the  use  of  such  record  for  a  purpose  which  is  compatible  with 
the  purpose  for  which  it  was  collected. 
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CHAPTER  2 


SUBSTANTIAL  AMOUNT  OF 
PERSONAL  BENEFICIARY  INFORMATION 
IS  GIVEN  TO  STATES  AND  LOCAL  GOVERNMENTS 

SSA  provides  the  States,  which  in  turn  provide  local  govern¬ 
ments  with  a  considerable  amount  of  personal  beneficiary  informa¬ 
tion  from  its  own  files  and  the  files  SSA  maintains  for  HCFA.  The 
information  is  then  used  by  the  States  and  local  governments  to 
more  effectively  administer  a  number  of  federally  financed  or 
assisted  programs.  These  data  constitute  a  large  national  resource 
that  should  be  safeguarded  against  alteration,  destruction,  abuse, 
or  misuse.  For  example,  SSA  and  HCFA  rely  on  these  data  bases  for 
( 1)  managing  their  respective  programs  and  (2)  assuring  that  timely 
and  correct  benefit  payments  are  made  to  beneficiaries.  In  addition 
to  the  value  of  these  automated  files  to  the  Federal  Government, 
the  personal  information  within  each  of  these  files  is  sensitive 
and  valuable  to  individuals  and  their  families.  A  brief  discussion 
of  the  major  responsibilities  of  the  two  agencies  to  provide  some 
perspective  of  their  roles  in  information  management  and  exchange 
follows . 

Social  Security  Administration 

SSA  is  responsible  for  implementing  a  wide  range  of  income 
security  and  public  assistance  programs.  For  example,  SSA  is 
responsible  for  administering : 

— Retirement  and  Disability  Insurance  programs  -  to  provide 
cash  benefits  to  replace,  in  part,  earnings  that  are  lost 
to  individuals  and  families  when  earnings  stop  or  are  re¬ 
duced  because  a  worker  retires,  becomes  disabled,  or  dies. 

— Supplemental  Security  Income  (SSI)  programs  -  designed  to 
provide  cash  benefits  to  the  needy  aged,  blind,  and  disabled. 

SSA  maintains  records  for  each  person  with  covered  earnings 
who  is  assigned  a  social  security  number,  so  that  earnings  histor¬ 
ies  are  readily  available  when  it  comes  time  to  establish  a  person' s 
eligibility  and  amount  of  benefits  to  be  received.  Nearly  240  mil¬ 
lion  personal  earnings  records  are  maintained  by  SSA.  An  additional 
73  million  beneficiary  records  are  maintained  by  SSA  for  managing 
benefits  paid  on  programs  authorized  by  the  Social  Security  Act . 

Health  Care  Financing  Administration 

HCFA — another  component  of  HHS — makes  payments  on  behalf  of 
individuals  entitled  to  benefits  under  the  Medicare  program.  This 
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program  provides  partial  protection  against  the  cost  of  health  care 
for  the  aged  (65  and  over)  and  disabled.  SSA  provides  several  sup¬ 
port  functions  for  HCFA  including  maintenance  of  files  for  the  Med¬ 
icare  and  Medicaid  programs.  (Medicaid  is  a  Federal  and  State  pro¬ 
gram  that  pays  for  services  provided  to  eligible  low  income  persons. 

MILLIONS  OF  BENEFICIARY  RECORDS  ARE 
EXCHANGED  WITH  STATE  GOVERNMENTS 

Many  public  assistance  programs  financed  by  the  Federal  Govern¬ 
ment,  such  as  Aid  to  Families  With  Dependent  Children  ( AFDC ) ,  Food 
Stamps,  SSI,  assistance  for  refugees,  Medicaid,  etc.,  are  adminis¬ 
tered  by  State  governments  under  separate  arrangements  for  each 
program. 

As  discussed  below,  much  of  the  personal  beneficiary  informa¬ 
tion  collected  by  SSA  and  HCFA  to  administer  their  own  programs  is 
exchanged  with  States  to  assist  them  in  administering  federally  fi¬ 
nanced  programs.  For  example,  over  70  million  personal  beneficiary 
files  are  being  exchanged  with  State  governments  annually. 

We  have  consistently  advocated  greater  use  of  beneficiary  in¬ 
formation  exchanges  between  organizations  to  reduce  payment  errors 
and  to  enhance  the  integrity  and  effectiveness  of  public  assistance 
programs.  For  example,  on  October  16,  1979,  we  reported  that  SSA 
recognized  $257.4  million  in  payment  errors  that  were  made  during 
fiscal  year  1978  because  SSI  beneficiaries  (1)  provided  inaccurate 
or  incomplete  information  to  SSA  and  (2)  failed  to  report  changes 
in  their  circumstances.  1/  Better  exchanges  of  beneficiary  in¬ 
formation  might  have  avoided  many  of  the  overpayment  errors. 

In  another  report,  we  recommended  that  State  governments  use 
beneficiary  information  in  the  State  Data  Exchange  (SDX)  system 
for  identifying  potential  boarding  homes  for  needy  aged,  blind, 
and  disabled  persons  receiving  benefits  from  the  SSI  program. 

This  information  would  provide  States  with  a  starting  point  for 
establishing,  maintaining,  and  ensuring  enforcement  of  standards 
for  facilities,  such  as  boarding  homes,  in  which  a  significant 
number  of  SSI  recipients  reside.  2/ 

THE  SSA  DATA  EXCHANGE  PROGRAM 


SSA  provides  most  of  the  personal  beneficiary  information  in¬ 
cluded  in  its  automated  beneficiary  files  to  States  for  their  use 


1/ "Social  Security  Should  Obtain  and  Use  State  Data  to  Verify 
Benefits  For  All  Its  Programs,"  HRD-80-4,  Oct.  16,  1979. 

2/ "Identifying  Boarding  Homes  Housing  the  Needy  Aged,  Blind,  and 
Disableds  A  Major  Step  Toward  Resolving  a  National  Problem," 
HRD-80-1 7 ,  Nov.  19,  1979. 
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in  administering  public  assistance  programs.  The  types  of  informa¬ 
tion  being  disclosed  through  formal  data  exchange  processes  include 
the  name  of  the  beneficiary,  address,  home  telephone  number,  social 
security  number,  types  and  amounts  of  benefits  being  paid  by  SSA, 
beneficiary  income  data,  assets  owned  by  the  beneficiary  and  im¬ 
mediate  family  members,  and  personal  living  arrangements.  (See 
app.  Ill  for  a  list  of  personal  data  being  disclosed  to  States 
by  SSA  and  HCFA. ) 


SSA  uses  several  independent  formal  systems  for  exchanging 
personal  beneficiary  information  on  a  routine  basis  with  State 
governments.  Examples  of  these  systems  include: 


An  automated  system  which  provides  personal  beneficiary 
information  from  the  SSA  Master  Beneficiary  Records  to 
inform  State  governments  of  basic  and  changed  social  secu¬ 
rity  entitlements  for  recipients  and  applicants  under  Fed¬ 
eral  grant-in-aid  programs. 


SDX  system  -  An  automated  system  which  provides  detailed 
records  to  States  needing  data  on  beneficiaries  receiving 
SSI  payments.  The  information  for  this  system  is  obtained 
from  SSA's  Supplemental  Security  Record. 


— Federal  Parent  Locator  Service  -  A  system  which  provides 
State  welfare  agencies  with  the  last-known  address  of  absent 
parents  for  the  AFDC  title  IV-D  program.  The  sources  of 
information  for  this  system  include  most  personal  files 
maintained  by  the  Federal  departments  and  agencies — i.e., 
the  Internal  Revenue  Service,  the  Veterans  Administration, 
the  Department  of  Defense,  and  SSA. 


These  and  other  formal  beneficiary  data  exchange  systems  are  dis¬ 
cussed  in  appendix  II. 


When  States  need  additional  information  on  a  beneficiary, 
or  a  beneficiary  not  yet  included  in  a  formal  data  exchange  system, 
several  innovative  approaches  have  been  used  for  obtaining  such 
data  from  SSA's  files.  For  example,  one  State  field  office  uses 
a  State  coordinator  to  work  directly  with  SSA  district  offices 
for  obtaining  personal  beneficiary  information  not  yet  available 
from  the  routine  data  exchange  system.  Caseworkers  in  the  wel¬ 
fare  office  route  their  requests  for  Federal  data  through  the 
coordinator.  Often  personal  data  are  obtained  via  a  telephone 
inquiry  with  an  SSA  district  office  official  who  uses  the  SSA 
telecommunications  system  to  obtain  information  needed  to  re¬ 
spond  to  the  requests.  We  were  told  that  these  telephone  re¬ 
quests  are  generally  honored  by  SSA  district  offices  because  of 
the  close  working  relationships  that  are  established  through  use 
of  the  coordinator  approach.  Such  telephone  requests  are  later 
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documented  through  preparation  of  SSA  Form  1610  (Social  Security- 
Public  Assistance  Agency  Information  Request  and  Report)  which  is 
placed  in  a  beneficiary  case  folder. 


Welfare  employees  in  another  State' s  field  office  use  the 
SSA  telecommunications  system  when  obtaining  Federal  beneficiary 
data  from  SSA.  These  employees  had  copies  of  the  user  manuals 
and  mark  sensing  cards  that  are  used  for  obtaining  data  from  SSA's 
automated  beneficiary  records.  We  were  told  that  they  prepare 
coded  queries  on  mark  sensing  cards,  place  these  cards  in  the 
telecommunications  card  reader  located  at  the  local  SSA  district 
office,  and  return  to  pick  up  hard  copies  (computer  printouts) 
of  the  requested  beneficiary  information.  Accordingly,  these 
State  welfare  field  offices  have  full  and  complete  access  to  all 
the  information  in  the  SSA  automated  beneficiary  files  that  is 
accessible  by  the  SSA  district  office. 

A  SINGLE  AUTOMATED  FILE  IS  CREATED 
AND  USED  BY  SOME  STATES 


Many  States  have  established  single  automated  files  for  per¬ 
sonal  beneficiary  information  used  in  managing  public  assistance 
programs.  Some  States  have  developed  on-line  computerized  systems 
with  computer  terminals  located  in  each  State  field  office  having 
direct  access  to  State  beneficiary  files.  Other  States  use  a  lesser 
degree  of  sophistication  through  maintaining  centralized  automated 
files  on  beneficiary  data  and  distributing  a  hard  copy  to  each  State 
or  local  field  office  periodically.  In  both  approaches,  the  per¬ 
sonal  information  in  automated  files,  as  well  as  the  manual  bene¬ 
ficiary  case  folders,  are  maintained  and  stored  at  the  State  or 
local  field  offices  servicing  the  beneficiary. 

In  its  June  18,  1979,  report,  “ Administration  of  the  AFDC  Pro¬ 

gram,"  the  House  Committee  on  Government  Operations  recommended, 
among  other  things,  that  HHS  encourage  States  to  make  optimum  use 
of  computerized  information  systems  for  determining  eligibility 
and  for  managing  cases  on  public  assistance  programs.  The  Com¬ 
mittee  further  recommended  that  HHS  determine  whether  the  higher 
Federal  reimbursement  rate  for  use  of  automated  systems  in  Medi¬ 
caid  programs  had  produced  favorable  results,  and  if  so,  whether 
the  same  incentive  would  be  beneficial  for  the  AFDC  program. 

Most  State  governments  use  Federal  beneficiary  data  received 
from  SSA  and  HCFA  to  update  their  own  beneficiary  files  and/or  as 
a  reference  to  validate  personal  information  obtained  from  many 
other  sources,  including  the  beneficiary.  Although  the  benefici¬ 
ary  is  usually  the  primary  source  for  personal  information,  States 
obtain  personal  data  from  many  other  Federal  and  non-Federal 
organizations--including  SSA  and  HCFA — to  update  and/or  to  vali¬ 
date  existing  information  when  establishing  a  person's  eligibility 
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for  benefits*  The  exhibit  on  page  7  shows  the  typical  flow  of  per¬ 
sonal  beneficiary  data  at  the  State  level  including  the  various 
sources  of  data,  how  stored,  and  the  types  of  users  of  such  data. 


We  found  that  personal  information  obtained  from  organizations 
both  within  and  outside  the  Federal  Government  is  often  merged  or 
commingled  by  the  States  into  a  single  automated  data  base.  In 
such  instances,  the  source  of  the  personal  data  is  no  longer  iden¬ 
tifiable.  Information  extracted  or  generated  from  these  State  data 
bases  is  generally  filed  in  a  beneficiary' s  case  folder  and  retained 
by  the  field  office  which  has  personal  contact  with  the  beneficiary. 
According  to  State  officials,  using  automated  data  bases  is  the 
only  logical  way  of  consolidating  and  controlling  large  volumes  of 
beneficiary  data  used  in  administering  public  assistance  programs 
on  a  statewide  basis.  Moreover,  the  single  file  concept  has  been 
recognized  by  State  officials  as  a  valuable  resource  when  estab¬ 
lishing  an  applicant' s  eligibility  for  benefits  under  any  one  of 
many  interrelated  State- administered  public  assistance  programs. 


CHAPTER  3 


PERSONAL  DATA  SUPPLIED  TO  STATES 
ARE  NOT  BEING  ADEQUATELY  PROTECTED 

Our  review  in  selected  States  showed  that  the  personal  bene¬ 
ficiary  information  given  to  States  by  SSA  is  not  being  adequately 
protected.  Most  field  locations  did  not  have  written  physical 
security  procedures.  In  some  locations,  guard  services,  burglar 
alarms,  and  central  fire  alarm  systems  were  used,  while  others  did 
not  have  these  services.  It  appears  that  security  procedures  are 
installed  as  a  result  of  specific  problems  as  they  occur.  For 
example,  some  offices  found  it  necessary  to  employ  guards  during 
working  hours  because  of  large  and  sometimes  hostile  crowds  of 
claimants.  Other  offices  had  not  experienced  such  problems  and 
relied  upon  local  police  protection. 

At  the  time  of  our  fieldwork,  only  3  of  the  14  States  visited 
had  designated  security  officers  in  their  respective  field  offices, 
and  only  1  State  had  provided  any  training  for  these  officers  on 
physical  security  matters.  In  most  of  the  other  field  offices, 
the  local  manager  assumed  responsibility  for  security  as  well  as 
for  administering  all  other  office  functions.  Consequently,  and 
understandably,  most  management  emphasis  was  devoted  to  adminis¬ 
tering  the  offices,  managing  caseworkers,  and  servicing  client 
needs,  rather  than  attending  to  security  matters. 

In  most  offices,  we  observed  a  lack  of  controls  over  the  use 
and  storage  of  personal  information  in  claimant  files.  This  lack 
of  control  can  be  attributed  to  ( 1)  placing  emphasis  on  produc¬ 
tivity  rather  than  safeguarding  files  and  (2)  relying  on  other 
physical  security  measures  for  the  offices  rather  than  using 
locked  filing  cabinets  or  other  methods  for  protecting  claimant 
files . 

INFORMATION  IN  CLAIMANT  FILES  IS  NOT 
ADEQUATELY  CONTROLLED  BY  STATE  OFFICES 

We  found  that,  for  the  most  part,  employees  within  State 
welfare  offices  have  unlimited  access  to  claimant  files.  Access 
to  these  files  is  not  based  on  a  "need  to  know." 

Generally,  control  exercised  over  claimant  files  was  poor — 
i.e.,  log-out  and  log-in  procedures  are  not  being  used  by  most 
offices  to  identify  the  location  of  a  claimant' s  file  during  the 
various  stages  of  processing  in  field  offices.  According  to  offi¬ 
cials,  at  times  claimant  files  cannot  be  located  when  needed  to 
process  claims.  In  a  separate  review  of  the  AFDC  program,  we 
sampled  121  case  folders  in  one  State  and  were  unable  to  locate 
26  of  these  folders  for  use  during  our  audit.  This  situation 


is  not  uncommon  in  many  State  field  offices.  We  were  told  that, 
in  many  instances,  lost  files  show  up  at  a  later  time  after  the 
immediate  need  no  longer  exists,  and  in  some  cases,  files  must  be 
recreated  when  they  cannot  be  found  for  a  long  time  period. 

It  should  be  noted  that  adequate  control  of  case  files  is 
feasible.  Two  counties  which  administer  welfare  programs  within 
one  State  visited,  assign  cases  to  specific  caseworkers  and  use  a 
small  computer  to  keep  track  of  case  assignments  and  use  of  claim¬ 
ant  files.  These  offices  appeared  to  have  good  control  over  the 
location  of  case  folders — a  condition  that  is  not  widespread. 

Most  offices  have  photocopy  machines.  Field  office  officials 
told  us  that  these  machines  are  not  usually  secured  during  non¬ 
working  hours.  These  machines  are  generally  located  throughout 
working  areas  within  an  office  and  available  for  use  by  most  em¬ 
ployees.  Should  an  employee  or  some  outside  intruder  decide  to 
obtain  claimant  information,  copies  of  pertinent  documents  could 
be  made  and  removed  from  the  office  without  any  indication  that 
someone  had  tampered  with  a  file. 

Some  States  are  using  microfiche  and  microfilm  techniques  for 
providing  beneficiary  information  (to  be  used  as  reference  material 
when  administering  public  assistance  programs)  throughout  their 
many  field  offices.  HCFA's  central  office  also  reproduces  certain 
eligibility  information  from  Federal  beneficiary  records — e.g., 
the  Carrier  Alphabetic  State  List  data  exchange  system  described 
in  appendix  II — onto  microfiche/microfilm  monthly.  States  receive 
copies  of  these  records  pertaining  to  beneficiaries  living  within 
their  geographic  areas.  These  microfiche/microfilm  records  are 
again  reproduced  and  distributed  by  the  States  to  their  field 
offices  for  use  in  administering  public  assistance  programs.  Many 
offices  have  reader/printers  capable  of  reproducing  individual 
claimant  records  from  microf ilm/microf iche  in  hard  copy.  These 
records  can  be  interpreted  by  using  a  manual  provided  by  SSA's 
and  by  State  welfare  departments'  central  offices.  We  observed 
that  these  user  manuals  were  not  secured  and  were  generally  stored 
next  to  microfiche  readers. 

In  some  States,  field  offices  with  high  volume  caseloads  have 
more  than  one  set  of  microfilm/microfiche  files.  At  one  State 
field  office  visited,  we  observed  that  a  copy  of  the  microfiche 
files  was  stored  on  a  receptionist's  desk  for  use  in  screening 
applicants  and  beneficiary’s  problems  before  they  were  routed  to 
caseworkers  for  resolution.  The  receptionist  in  this  office  left 
these  files  unattended  during  normal  working  hours,  and  they  were 
not  locked  up  during  nonworking  hours.  Although  this  office  had 
a  policy  for  storing  this  beneficiary  information  in  a  secure  area 
when  not  in  use  during  working  and  nonworking  hours,  most  offices 
do  not  have  such  a  policy.  Thus,  these  microfiche  files  are,  for 
the  most  part,  readily  available  for  potential  abuse  or  misuse  by 
employees  as  well  as  by  intruders. 
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State  field  offices  have  generally  been  furnished  with  file 
cabinets  for  storage  of  claimant  folders.  Some  of  these  cabinets 
have  been  equipped  with  locks  and  others  have  not.  However,  in 
most  cases,  only  employee  personnel  records  and  claimant  folders 
on  “Very  Important  People"  and  on  employees  or  their  immediate 
relatives  were  stored  in  locked  cabinets  with  controlled  access. 
Other  claimant  files  were  stored  in  "unlocked"  file  cabinets,  in 
cardboard  transfer  boxes,  and  on  employee  desks  and  tabletops  (the 
pictures  on  pp.  12  and  13  illustrate  how  claimant  files  were 
stored  during  nonworking  hours  in  many  State  offices  visited). 

In  one  instance,  where  lockable  file  cabinets  were  used  to  store 
claimant  files,  we  observed  that  keys  had  been  removed  and  tape 
had  been  placed  over  the  locks  so  they  could  not  be  easily  used. 
The  local  office  official  told  us  that  tape  had  been  placed  on 
the  locks  because  the  keys  had  been  lost. 

Most  field  offices  visited  did  not  use  a  clean-desk  policy 
whereby  claimant  folders  had  to  be  returned  to  central  files  or 
stored  within  desks  during  nonworking  hours.  We  were  told  by 
local  management  officials  that  such  a  policy  was  not  used  because 
of  the  impact  on  productivity  that  would  be  experienced  if  case 
workers  were  required  to  put  claimant  files  away  at  the  end  of 
the  working  day  and  then  to  retrieve  them  the  following  day  for 
further  processing.  Management  officials  in  the  limited  number 
of  offices  that  used  a  clean-desk  policy  told  us,  however,  that 
the  use  of  such  a  policy  had  not  had  an  adverse  effect  on  the 
productivity  of  their  employees. 

PHYSICAL  SECURITY  AT  STATE  FIELD 
OFFICES  TO  PROTECT  BENEFICIARY 
INFORMATION  NEEDS  IMPROVEMENT 


The  implementation  of  physical  security  measures  is  generally 
the  responsibility  of  each  local  office  manager.  We  found  little 
evidence  that  any  of  the  field  offices  visited  had  formally  studied 
the  need  for  physical  security  measures,  or  had  developed  formal¬ 
ized  contingency  plans  to  back  up  their  operations  if  a  loss  or 
disaster  should  occur. 

Access  to  field  offices 
is  not  restricted 


Many  welfare  offices  are  located  in  space  not  owned  by  their 
respective  State  governments.  Landlords  for  such  space  generally 
retain  keys  to  the  offices.  In  one  office  visited,  we  noted  that 
a  landlord  retained  control  over  all  keys  to  the  office.  The 
field  office  was  opened  daily  by  the  landlord  before  the  start  of 
each  working  day,  and  welfare  employees  left  the  premises  at  the 
end  of  the  day  without  locking  the  doors  to  the  office.  An  hour 
or  more  elapses  each  day  between  the  time  that  employees  leave 
the  premises  and  the  time  that  maintenance  crews  arrive  to  clean 
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the  office.  Local  management  officials  at  this  office  told  us 
that  they  had  experienced  losses  of  office  supplies  and  small 
equipment  items,  but  had  not  lost  any  personal  beneficiary  infor¬ 
mation.  We  determined,  however,  that  these  local  management 
officials  would  have  no  way  of  knowing  whether  or  not  personal 
information  had  been  photocopied  or  extracted  from  claimant  files 
by  intruders  and  removed  from  the  office  for  other  uses.  Jani¬ 
torial  services  in  many  other  offices  also  have  keys  to  provide 
access  to  the  offices  during  nonworking  hours. 

Most  of  the  local  field  offices  visited  use  receptionists 
and  waiting  rooms  as  their  method  of  controlling  visitors.  In 
several  offices,  however,  side  and  rear  entrances  were  left  un¬ 
locked  and  unguarded  during  working  hours.  We  observed  people 
entering  these  doors — in  lieu  of  the  main  entrance — and  wandering 
throughout  the  office.  In  one  office,  we  entered  by  an  unlocked 
side  entrance  at  lunch  time  and  could  find  no  State  employees  in 
the  entire  wing  of  the  building  to  observe  or  challenge  our 
entrance. 

Security  background  checks  are  not 
done  for  field  office  employees 

Security  background  checks  on  employees  are  not  normally  made 
by  field  offices  or  oy  State  welfare  departments.  Many  potential 
employees  are  hired  to  work  in  State  welfare  departments  and  field 
offices  based  on  interviews  and  on  limited  followup  on  prior  em¬ 
ployment  references  shown  on  employees’  application  forms.  This 
approach  may  not  always  assure  an  adequate  degree  of  integrity  of 
potential  employees  who  will  be  working  with  personal  and  sensitive 
information. 

Unlimited  use  of  photocopying  equipment 

Photocopying  equipment  was  mainly  located  centrally  within 
State  welfare  field  offices  for  easy  access  by  most  office  em¬ 
ployees.  In  10  of  the  14  States  visited,  employees  had  un¬ 
restricted  access  to  and  use  of  photocopying  equipment  for  their 
day-to-day  activities. 

Field  office  employees  use  this  equipment  to  photocopy  per¬ 
sonal  information  provided  by  clients  as  evidence  when  applying 
for  or  validating  a  continuing  need  for  public  assistance  bene¬ 
fits.  Often  extra  copies  of  documents  are  made  and  not  used  by 
caseworkers.  During  a  tour  of  one  field  office,  we  took  some 
photocopies  from  a  trash  can  located  next  to  the  photocopying 
equipment  which  would  have  been  emptied  into  a  dumpster  for  city 
trash  collection  at  the  end  of  the  workday.  These  documents 
included:  (1)  a  photocopy  of  five  social  security  cards, 

(2)  documents  showing  a  complete  profile  of  the  beneficiary  and 
the  benefits  being  received,  (3)  a  "Report  of  Confidential  Social 
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Security  Benefit  Information,"  (4)  an  electric  bill,  (5)  a  rent 
receipt,  and  (6)  a  food  stamp  worksheet  which  sets  forth  earnings 
and  demonstrated  financial  need  for  food  stamps.  Similar  observa¬ 
tions  were  also  made  at  other  field  offices  visited  during  our 
review . 

Disposal  of  beneficiary  data 
is  not  always  safeguarded 

Instructions  concerning  disposal  of  documents  containing  per¬ 
sonal  beneficiary  information  have  not  been  issued  by  many  local 
welfare  field  offices.  Supervisors  and  managers  rely  primarily  on 
the  discretion  of  individual  employees  when  disposing  of  wastepaper 
containing  sensitive  personal  information.  Employees  who  are  aware 
of  documents  containing  this  type  of  information  generally  tear 
them  up  before  throwing  them  away;  however,  others  do  not  do  this. 
Most  offices  visited  had  trash  disposal  services  that  picked  up 
trash  periodically.  Some  office  managers  were  not  aware  of  the 
method  of  disposal  (incineration,  landfills,  dumps,  etc.)  once  the 
trash  was  removed  from  the  office. 

In  addition  to  the  unmutilated  documents  containing  personal 
information  observed  in  wastebaskets,  we  saw  copies  of  computer 
printouts  containing  personal  information  stacked  in  hallways 
outside  offices,  on  loading  platforms,  and  in  dumpsters  located 
in  parking  lots.  In  one  office,  we  were  told  that  an  employee 
had  been  given  permission  to  sell  computer  printouts  for  scrap 
paper  to  supplement  his  personal  income.  These  printouts  were 
not  mutilated  before  giving  them  to  the  employee  before  sale. 

Office  officials  did  not  know  where  or  to  whom  the  computer  print¬ 
outs  were  being  sold. 

The  disposition  of  aged  inactive  beneficiary  folders  varied 
among  State  welfare  departments  and  offices  visited.  For  example, 
some  offices  shipped  the  folders  to  permanent  storage  centers 
within  their  respective  States,  while  others  incinerated  or  buried 
them.  In  one  State,  officials  witnessed  each  of  these  processes. 
However,  problems  can  arise  in  handling  these  folders.  For  example, 
as  reported  in  a  newspaper,  hundreds  of  client  records  were  ac¬ 
cidentally  placed  on  a  sidewalk  outside  a  local  welfare  field 
office,  apparently  by  the  maintenance  staff.  It  was  not  until  a 
reporter  inquired  during  the  late  afternoon  as  to  why  these  case 
folders  had  been  left  out  for  public  inspection  that  they  were 
taken  back  into  the  local  welfare  office.  Most  of  the  records 
involved  dated  back  less  than  1  year. 
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CHAPTER  4 


HHS  NEEDS  TO  DEVELOP  A  COMPREHENSIVE 
PROGRAM  FOR  PROTECTING  PERSONAL  DATA 
SUPPLIED  TO  STATE  AND  LOCAL  ENTITIES 


Despite  an  extensive  Federal  role  in  maintaining  and  supplying 
personal  beneficiary  data  to  States,  there  apparently  has  not  been 
a  corresponding  amount  of  effort  devoted  to  defining  the  nature 
and  extent  of  statutory  protections  over  such  data  when  provided 
to  organizations  outside  the  Federal  community.  Our  review  showed 
that  HHS  has  not  developed  a  consistent  and  comprehensive  security 
program  to  be  used  by  States  in  protecting  beneficiary  data. 

There  has  been  much  congressional  and  public  concern  over  the 
potential  for  abuse  or  misuse  of  personal  information  being  proc¬ 
essed  and  stored  in  large  computer-based  systems  by  Federal,  State, 
and  local  governments.  For  example,  a  national  data  center  was 
proposed  during  the  mid-1960s  when  substantial  growth  occurred  in 
automatic  data  processing  technologies  for  managing  masses  of  data. 
This  proposal  was  not  well  received  by  the  Congress  or  the  public 
because  proper  technology  had  not  been  developed  to  assure  ade¬ 
quate  privacy  for  personal  information  being  processed  on  large- 
scale  centralized  computer  systems. 

In  1974,  the  General  Services  Administration  began  working 
with  the  U.S.  Department  of  Agriculture  on  a  joint  computer  pro¬ 
curement  program  to  centralize  and  consolidate  Federal  data  proc¬ 
essing  operations.  The  concept  proposed  included  the  use  of 
separate  automated  data  bases  by  Federal  departments  and  agencies 
that  could  communicate  with  each  other  electronically  through 
interfacing  large-scale  computer  systems.  Opposition  to  use  of 
central  data  banks  or  an  electronic  network  of  data  banks  contain¬ 
ing  personal  information  became  extensive.  The  proposed  project 
was  then  scaled  down  considerably  so  that  it  was  no  longer  viewed 
as  a  Government-wide  concept. 

The  fate  of  these  two  proposals  demonstrates  that  strong  con¬ 
fidentiality  guarantees  are  essential  to  the  basic  design  of  any 
successful  Federal  information  network.  In  its  July  1977  report, 
the  Privacy  Protection  Study  Commission  recommended  that  the  Fed¬ 
eral  Government  defer  any  action  to  foster  further  development  of 
central  data  bases  for  Government-wide  use  until  technology  could 
be  developed  to  assure  proper  security  and  confidentiality  for 
personal  information.  As  an  alternative  to  the  use  of  a  single 
data  base  concept,  such  agencies  as  SSA  and  HCFA  have  opted  to 
exchange  personal  beneficiary  data  with  State  governments  for 
their  use  in  carrying  out  agency  missions  and  in  achieving  a 
greater  degree  of  effectiveness  in  public  assistance  programs. 
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From  July  1979  through  February  1980,  SSA  conducted  a  risk 
assessment  on  SSA  data  being  provided  to  States  and  local  entities. 
The  assessment  presented  the  following  questions  and  issues  to  SSA 
for  resolution  and  clarification: 

— Does  SSA  data  legally  become  State  data  once  received  by 
the  State,  at  any  point  in  their  processes,  or  when  com¬ 
bined  with  data  collected  by  the  State?  If  so,  at  what 
point  do  the  data  become  State  data? 

— If  it  is  determined  that  SSA  data  legally  become  State 
data  at  some  point  in  time,  at  that  time,  does  SSA  con¬ 
tinue  to  have  any  responsibility  for  the  confidentiality 
and  privacy  of  the  data? 

— Does  SSA  have  the  legal  authority  to  perform  a  complete 
risk  assessment  of  all  State  processes  that  use  SSA  data? 
What  are  the  limitations,  if  any,  of  such  risk  assessments? 

— If  SSA  remains  responsible  for  the  security  and  confiden¬ 
tiality  of  data  after  receipt  by  the  State,  can  SSA  require 
State  and  local  agencies  to  implement  specified  safeguards 
to  protect  the  data?  Can  sanctions  be  imposed  on  State 
and  local  agencies  for  noncompliance? 

In  view  of  our  observations  and  the  issues  identified  by  the 
SSA  study,  we  wrote  to  HHS  in  April  1980  and  posed  a  number  of 
questions  focusing  on  data  exchanges  and  privacy  protection.  Our 
purpose  was  to  elicit  a  statement  of  the  role,  responsibilities, 
and  policy  of  a  major  Federal  repository  of  personal  data.  On 
June  24,  1981,  HHS  responded  to  our  questions.  (See  app.  I.) 

HHS1  responses  to  these  questions  indicate  that  there  is  a 
lack  of  a  consistent  and  comprehensive  security  program  for  the 
protection  of  data  given  to  States.  We  believe  this  condition 
may  exist  because  current  legislation  may  not  provide  sufficiently 
detailed  guidance  for  protecting  beneficiary  records  at  State  and 
local  levels.  Extracts  from  our  April  1980  questions  and  HHS' 

June  1981  responses  follow: 

— GAO  Question:  How  much  information  disclosed  to  States 
or  private  contractors  do  you  consider  to  be  tax  return 
information  as  defined  in  26  U.S.C.  6103? 

Department  Response:  "Title  26  U.S.C.  6103 — the  Tax  Reform 
Act  of  1976 — defines  'return  information*  in  terms  of  data 
filed  with,  and  prepared  or  collected  by  the  Secretary  of 
the  Treasury  (Internal  Revenue  Service).  Many  of  the  items 
of  information  identified  in  the  Act  as  'return  information' 
are,  and  always  have  been,  normally  obtained  by  the  Social 
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Security  Administration  (SSA)  directly  from  the  individual 
members  of  the  public  it  and  the  Health  Care  Financing 
Administration  ( HCFA )  serve,  or  from  other  1  non-return' 
sources— e.g. ,  from  his  employer  at  the  individual's  re¬ 
quest.  We  do  not  consider  such  information  to  be  'return 
information'  within  the  Tax  Reform  Act  definition.  Further¬ 
more,  it  appears  that  a  document  which  would  be  a  'return' 
if  obtained  from  IRS  records  does  not  have  that  character 
when  obtained  directly  from  another  source— e.g. ,  the  tax¬ 
payer's  own  retained  copy  of  a  self-employment  income 
return  he  filed  with  Internal  Revenue  which  is  provided 
to  us  by  the  taxpayer  for  a  non-tax  purpose. 


"It  is  arguable  that  earned  income  data  transmitted  by 
the  State  Data  Exchange  (SDX)  system  under  some  circum¬ 
stances  derives  from  return  information  that  is  sometimes 
found  in  the  SSI  claims  folder.  IRS  has  not  yet  addressed 
the  issue,  insofar  as  we  know." 

GAO  Observation:  We  think  adequate  time  has  passed  to 
allow  HHS  to  obtain  the  views  of  IRS  [the  Internal  Revenue 
Service]  and  to  develop  a  policy  on  the  treatment  of  SDX 
or  other  SSA  system  information  embracing  tax  return  data. 

-GAO  Question:  Does  Section  1106  (Social  Security  Act) 
authorize  you  to  limit  disclosures  or  otherwise  protect 
beneficiary  information  once  it  has  been  exchanged  with 
States  and  private  contractors? 

Department  Response :  "Section  1106  provides  that  no  dis¬ 
closure  of  any  information  obtained  from  the  Secretary  or 
any  officer  or  employee  of  the  Department  by  any  person 
shall  be  made  except  as  the  Secretary  prescribes  by  regu¬ 
lations.  For  decades  regulations  issued  pursuant  to  this 
statutory  authority — notably,  Regulation  No.  1  under  the 
Social  Security  Act — safeguarded  the  confidentiality  of 
data  thus  disclosed.  We  believe  that  the  disclosure  limi¬ 
tation  authority  under  Section  1106  was  severely  curtailed 
by  the  March  1977  amendment  of  the  Freedom  of  Information 
Act.  See  the  recent  revision  of  Regulation  No.  1,  pub¬ 
lished  at  45  Fed.  Reg.  74906  -  74908  (November  13,  1980)." 

GAO  Observation:  We  think  HHS  has  had  sufficient  time  to 
reconcile  Section  1106  with  the  latest  amendment  to  the 
Freedom  of  Information  Act. 

-GAO  Question:  What  specific  provisions  of  the  Privacy 
Act  authorize  you  to  improve  security  requirements  on 
routine  disclosures  and  redisclosures? 
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Department  Response;  "The  Privacy  Act  (5  U.S.C.  522(e)(10) 
requires  all  Federal  agencies  to  establish  appropriate 
safeguards.  However,  our  understanding  is  that,  with  one 
exception,  these  provisions  cannot  be  imposed  on  entities 
which  are  not  Federal  agencies.  Under  5  U.S.C.  552a(m) 

HHS  must  impose  Privacy  Act  requirements  on  certain  State 
agencies  and  contractors.  For  example,  the  agreement  with 
Medicare  contractors  (carriers),  contracts  for  research  and 
statistical  work,  and  agreements  with  States  covering  the 
Disability  Determination  Service  (DDS)  function  impose 
Privacy  Act  requirements  on  State  agencies  and  contractors." 

GAO  Observation:  HHS,  in  conjunction  with  advice  obtained, 
if  necessary,  from  the  Department  of  Justice,  should  resolve 
whether  the  Privacy  Act  "reaches"  federally  obtained  data 
supplied  to  non-Federal  agencies. 

— GAO  Question:  In  your  view,  does  the  source  of  personal 
beneficiary  information  have  any  relationship  to  the  extent 
that  such  information  should  be  safeguarded  from  potential 
abuse  or  misuse? 

Department  Response:  "Clearly,  the  source  of  personal 
beneficiary  information  does  determine  the  applicability 
of  Tax  Reform  Act  safeguards — see  discussion  of  the  first 
question.  What  should  be  the  relationship  of  source  to 
safeguarding — while  a  matter  for  conjecture — probably 
depends  upon  (1)  the  linkage  between  the  source  and  the 
probable  sensitivity  of  the  data  and/or  (2)  the  original 
provider's  reasonable  expectations  as  to  confidential 
treatment  of  the  original  information  provided  the  col¬ 
lecting  source.  While  source,  thus,  provides  a  clue  to 
the  extent  information  should  be  safeguarded,  the  type  or 
nature — i.e.,  sensitivity — bears  a  more  direct  relation¬ 
ship.  For  example,  SSA  considers  medical  evidence  to  be 
very  sensitive  and  provides  elaborate  safeguards  against 
its  unwarranted  release,  but  the  source  may  be  a  medical 
practitioner,  but  because  disclosure  of  information  in 
medical  record  can  be  embarrassing  or  even  harmful  to  the 
individual . " 

GAO  Observation:  Department  response  self-explanatory. 

No  GAO  comment  necessary. 

— GAO  Question:  Do  you  believe  there  is  a  need  for  legisla¬ 
tion  that  would  provide  a  stronger  basis  to  safeguard  con¬ 
fidential  personal  beneficiary  information  being  disclosed 
to  States  and  private  contractors?  (Note:  We  recognize 
that  Section  411  of  the  Social  Security  Act  does  already 
provide  specific  bases  for  confidentiality  provisions  on 
data  exchanges  specifically  for  the  AFDC  program. ) 
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Department  Response:  " We  anticipate  additional  and  modi¬ 
fied  legislation  in  this  area  of  strong  public  and  policy 
interest  to  continue  to  be  developed ,  debated,  and  enacted 
as  the  'information  revolution'  and  the  use  of  computers 
continue  to  evolve.  Perhaps  the  need  at  present  is  for 
greater  uniformity  of  safeguarding  requirements  and  reduc¬ 
tion  of  the  complexity  in  administering  the  various  appli¬ 
cable  statutes." 

GAO  Observation:  The  HHS  response  in  our  view  underscores 
the  problem  as  we  perceive  it — the  need  for  'greater 
uniformity'  of  data  protection  developed  in  the  context 
of  a  consistent  and  comprehensive  HHS  security  program. 

CONCLUSIONS 


SSA  gives  millions  of  personal  beneficiary  records  to  States 
to  assist  them  in  carrying  out  their  responsibilities  in  adminis¬ 
tering  federally  financed  public  assistance  programs. 

These  personal  beneficiary  records  are  not  being  adequately 
protected  by  the  States  in  part  because  HHS  has  not  formulated  a 
consistent  and  comprehensive  security  program  for  the  protection 
of  data  given  to  States. 

While  we  are  sympathetic  to  the  magnitude  and  complexity 
of  the  problem  facing  HHS  regarding  data  exchanges  of  personal 
information,  we  nevertheless  believe  that  HHS  should  have,  by 
this  time,  more  aggressively  attempted  to  obtain  advice  (both 
legal  and  policy)  on  the  nature  and  extent  of  protection  needed 
over  such  information  at  State  and  local  levels.  In  this  regard, 
as  of  September  1981,  the  issues  and  questions  raised  by  £5?.*'  s 
risk  assessment  study  had  not  yet  been  resolved. 

RECOMMENDATIONS  TO  THE  SECRETARY  OF  HHS 


The  Secretary  should  formulate  and  establish  a  firm,  con¬ 
sistent,  and  comprehensive  security  program  for  providing  ade¬ 
quate  protection  of  data  shared  with  States  and  local  entities. 
Also,  the  Secretary  should,  if  deemed  necessary,  seek  the  advice 
of  the  Department  of  Justice  to  resolve  any  legal  problems  en¬ 
countered  in  formulating  and  establishing  such  a  program. 
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THE  COMMISSIONER  OF  SOCIAL  SECURITY 
BALTIMORE.  MARYLAND  21239 


June  24,  1981 


Mr.  Morton  Henig 
Senior  Associate  Director 
Human  Resources  Division 
U.S.  General  Accounting  Office 
Washington,  D.C.  20548 


Dear  Mr.  Henig: 

Enclosed  is  our  response  to  your  inquiry  regarding  safeguards  for 
HHS  beneficiary  information  in  the  hands  of  States  and  contractors* 
1  regret  the  delay  In  responding  to  you.  However,  I  understand 
that  the  information  in  the  response  has  been  discussed  in  detail 
with  members  of  your  staff* 


As  our  response  notes,  safeguard  ng  the  confidentiality  of  records 
has  been  a  traditional  concern  ot  this  Department.  Now,  applying 
the  Tax  Reform  Act,  the  Privacy  Act  and  other  legislation  of  the 
last  few  years  to  our  programs  is  a  major  effort  that  is  continuing, 
as  you  will  note  from  our  replies  to  your  individual  guesti^ns. 


Sine 

/; 


c/ely/ 

A 


/ 


_  Us 

Jbhn  A.  Svahn 
Commissioner  of 


\J 


Enc losure 


l 


Social  Security 


ecjrr  ity 
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RESPONSE  OF  THE  DEPARTMENT  OF  HEALTH  AND  HUMAN  SERVICES  TO  GENERAL 
ACCOUNTING  OFFICE  INQUIRY  REGARDING  SAFEGUARDS  FOR  BENEFICIARY 
INFORMATION  IN  THE  HANDS  OF  STATES  AND  CONTRACTORS 


General 


This  Department  certainly  shares  GAO's  concern  for  good  security 
practices  covering  personal  data  wherever  the  operations  of  HHS 
programs  require  that  the  data  be  processed  or  maintained.  For  us 
this  Is  not,  of  course,  a  concern  of  recent  origin.  While 
applying  the  Tax  Reform  Act,  the  Privacy  Act  and  other  legislation 
of  the  last  few  years  to  our  programs  has  been  a  major  recent 
effort — and  not  all  issues  have  been  resolved,  as  you  will  note 
from  our  responses  to  the  individual  questions — safeguarding  the 
confidentiality  of  records  has  been  a  traditional  concern.  In  the 
social  security  programs,  for  example,  regulatory  and  procedural 
safeguards  of  personal  data  have  been  established  and  administered 
for  40  years. 

Implementing  arrangements  for  recent  legislation  dealing  with 
disclosure  of  earnings  information  to  the  States  for  Child  Support 
Enforcement  and  Food  Stamp  program  purposes  under  Public  Law 
(P.L. )  96-265  (June  2,  1980),  section  408,  and  P.L.  96-249  (May 

26,  1980),  section  127(a),  are  still  under  development  in  ( 

consultation  with  the  Internal  Revenue  Service  and  are  not  treated 
by  our  response. 

Before  commenting  on  GAO's  questions,  the  following  clarification 
or  explanation  of  various  systems  discussed  is  perhaps  in  order. 

— Beneficiary  and  Earnings  Data  Exchange  (BENDEX)  Systems  -  An 
automated  system  which  provides  personal  beneficiary  information 
from  the  SSA  Master  Beneficiary  Records  to  Inform  State 
governments  on  basic  and  changed  social  security  and  Medicare 
entitlements  for  recipients  or  applicants  under  income 
maintenance  or  health  maintenance  programs.  Earnings  data  on 
applicants  for  Aid  to  Families  with  Dependent  Children  (AFOC)  is 
also  being  supplied  through  BENDEX  from  the  Earnings  Record  and 
Self-Employment  Income  system  of  records. 

— State  Data  Exchange  (SDX)  System  -  An  automated  system  which 
provides  detailed  records  to  States  needing  data  on 
beneficiaries  receiving  Supplemental  Security  Income  (SSI) 
payments.  The  information  for  this  system  is  derived  from  SSA's 
Supplemental  Security  Record.  In  some  instances,  this 
information  is  sent  by  the  State  immediately  to  private 
contractors  administering  the  States'  healtn  maintenance 
programs  after  being  forwarded  to  the  respective  State 
governments. 

— SSI/Pinanclal  Accounting  Exchange  (FAX)  System  -  An  automated 
system  developed  by  SSA  to  provide  case-by-case  accounting  data 
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to  those  States  which  have  agreed  to  Federal  administration  of 
SSI  payments  and  have  requested  such  detailed  data.  The  payment 
data  in  this  system  is  obtained  from  the  Supplemental  Security 
Record. 

— State  Buy-In  System  -  State  buy-in  records  are  maintained  on  the 
Third  Party  Master  (TPM)  System.  This  is  an  automated  system 
maintained  by  HCFA  (not  SSA  as  indicated  in  the  letter)  to 
control  the  Supplementary  Medical  Insurance  (SMI  or  Part  B) 
enrolling,  accounting,  and  billing  of  people  who  are  (or  were) 
in  State  buy-in  status,  i.e.,  the  State  Government  pays  SMI 
premiums  for  needy  individuals  enrolled  in  Medicaid  and  other 
State  assistance  programs.  Sources  of  Information  in  the  system 
include:  (1)  State  agency  programs,  (2)  the  SSA  MBR,  (3)  SSA 

SSI  record,  and  (4)  the  HCFA  Medicare  Health  Insurance  Master 
Record  (not  maintained  by  SSA  for  HCFA  as  indicated  in  the 
letter) . 

The  TPM  record  uses  the  beneficiary  name  and  claim  number  (not 
necessarily  the  individual's  social  security  number).  None  of 
the  sources  is  IRS;  and  no  earnings  or  income  information  is 
used  or  exchanged  with  the  States. 

— Inter jurisdictional  Data  Exchange  (IPEX)  System  -  This  is  a 
generalized  matching  system  to  compare  recipient  allegations  of 
earned  or  unearned  income  in  State  AFDC  files  with  other  sources 
of  earned  or  unearned  income. 

— Interim  Assistance  Reimbursement  Process  (IARP)  -  A  data 
exchange  process  whereby  S^A  notifies  State  governments  of 
adjudicated  beneficiary  applications  for  SSI  payments.  The 
States  or  applicant  notify  SSA  of  the  application  for  State 
assistance  and  the  States  make  benefit  payments  to  new 
applicants  until  their  SSI  applications  have  been  approved 
or  denied  by  SSA.  A  computerized  turnaround  (SSA  Form  8125)  is 
routinely  prepared  by  SSA  to  apprise  the  States  on  the 
adjudication  of  an  application;  and  the  States  use  this  same 
document  to  advise  SSA  on  the  benefit  payments  made  to  the 
beneficiary. 

— Carrier  Alphabetic  State  Tape  (CAST)  -  The  CAST  file  is  an 
alphabetic  16MM  roll  microfilm  and  105MM  microfiche  listing  of 
health  Insurance  beneficiaries  currently  existing  on  the  health 
insurance  master  file.  The  programming  process  segregates  and 
lists  all  beneficiaries  for  a  State  and/or  other  entity  in 
strict  alphabetical  sequence.  Semiannually,  CAST  files  are 
produced  for  each  of  the  50  States,  the  District  of  Columbia, 
Puerto  Rico,  Guam,  the  Virgin  Islands,  American  Samoa,  Canada, 
and  Mexico.  The  purpose  of  the  file  is  to  assist  Medicare 
contractors  in  resolving  beneficiary  identification  problems 
encountered  in  processing  health  insurance  claims  and  in 
maintaining  the  State  buy-in  rolls. 
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— Beneficiary  State  Tape  (BEST)  System  -  The  BEST  is  a  magnetic 
tape  file  identical  in  content  to  the  Carrier  Alphabetic  State 
Tape  (CAST)  file  discussed  above.  BEST  is  prepared  by 
reformatting  the  tape  file  from  which  CAST  is  created.  The  BEST 
file  is  prepared  semiannually.  Unlike  CAST,  the  BEST  file  is 
distributed  to  a  somewhat  more  restricted  group  of  about  52 
intermediaries,  carriers,  and  State  welfare  agencies. 

—Form  SSA-1610  System  (Social  Security  -  Public  Assistance  Agency 
Information  Request  and  Report)  -  The  form  SSA-1610  Is  not  a 
form  designed  specifically  for  the  Medicare  Program.  The  blank 
forms  are  retained  by  State  and  local  welfare  offices  who  enter 
the  name  and  social  security  number  of  a  welfare  claimant  and 
forward  to  the  servicing  social  security  office  to  obtain 
information.  This  information  is  required  by  welfare  in  order 
to  determine  the  welfare  client's  correct  grant  amount.  The 
purpose  of  the  form  is  to  provide  a  uniform  means  of  exchanging 
social  security.  Medicare,  and  public  assistance  information 
between  State  governments  and  SSA  offices  in  situations  which 
cannot  be  resolved  by  contacting  the  beneficiary  or  by  using  the 
BENDEX  system. 

— Advanced  Records  System  (ARS)  -  The  States  do  not  have  access  to 
the  ARS  system  in  the  Medicare  program.  At  the  present  time, 
several— but  not  most — Medicare  contractors  are  tied  into  the 
ARS  system  to  enable  them  to  query  the  Health  Insurance  Master 
Record  for  purposes  of  processing  Medicare  claims.  There  is  no 
capability  for  these  contractors  to  access  the  SSA  systems  for 
non-Medicare  purposes. 


GAO  Question  1:  How  much  information  disclosed  to  States  or 
private  contractors  do  you  consider  to  be  tax  return  information 
as  defined  in  26  U.S.C.  6103? 

Department  Response :  Title  26  U.S.C.  6103 — the  Tax  Reform  Act  of 
1976  — defines  ‘return  Information"  in  terms  of  data  filed  with, 
and  prepared  or  collected  by  the  Secretary  of  the  Treasury 
(Internal  Revenue  Service).  Many  of  the  items  of  information 
identified  in  the  Act  as  "return  information"  are,  and  always  have 
been,  normally  obtained  by  the  Social  Security  Administration 
(SSA)  directly  from  the  individual  members  of  the  public  it  and 
the  Health  Care  Financing  Administration  (HCFA)  serve,  or  from 
other  "non-return"  sources — e.g.,  from  his  employer  at  the 
individual's  request.  We  do  not  consider  such  information  to  be 
"return  information”  within  the  Tax  Reform  Act  definition. 
Furthermore,  it  appears  that  a  document  which  would  be  a  "return" 
if  obtained  from  IRS  records  does  not  have  that  character  when 
obtained  directly  from  another  source — e.g.,  the  taxpayer's  own 
retained  copy  of  a  self-employment  income  return  he  filed  with 
Internal  Revenue  which  is  provided  to  us  by  the  taxpayer  for  a 
non-tax  purpose. 
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Earnings  information — i.e.,  wage  reports  including  wages, 
employer's  name,  address  and  employer  Identification  number,  and 
self-employment  Income  reports — and  personal  residence/mailing 
address  information  are  return  Information  and  subject  to  Tax 
Reform  Act  safeguards  when  obtained  by  SSA  through  the  combined 
annual  wage  reporting  process,  or  when  obtained  directly  or 
indirectly  from  IRS.  The  following  types  of  earnings  information 
and  address  information  provided  to  States  and  contractors  in  the 
course  of  HHS  program  operations  could  be  defined  as  "return 
information”  under  the  Tax  Reform  Act: 

a.  Earnings  information  on  specific  AFDC  applicants/recipients 
provided  by  SSA  to  States  through  the  BENDEX  System.  Section 
411  of  the  Social  Security  Act  provides  for  this  disclosure. 

b.  Information  on  the  addresses  of  employers  of  absent  parents 
from  the  SSA  Earnings  Record  and  Self-Employment  Income  System 
provided  to  the  Office  of  Child  Support  Enforcement's  Federal 
Parent  Locator  Service  (PLS)  and  by  the  Federal  PLS  to  State 
PLSs.  Tax  return  information  supplied  by  IRS  is  encrypted  at 
IRS's  insistence  while  in  the  hands  of  the  contractor  that 
operates  the  Federal  PLS  and  is  not  identifiable  by  the 
contractor.  The  disclosure  to  States  is  pursuant  to  Section 
453  of  the  Social  Security  Act. 

c.  Work  history  information  on  individual  title  II  and  title  XVI 
disability  applicants/recipients  is  disclosed  to  State 
disability  determination  services  (DDSs)  that  make 
determinations  with  respect  to  the  disability  of  such 
individuals.  No  ADP  system  is  involved.  Claims  folders  sent 
to  the  DOS  may  contain  work  history  compiled  by  SSA  from  the 
Earnings  Reference  File  (ERF) .  The  relevant  documentation 
stays  in  the  folder  at  all  times  and  is  returned  to  SSA  when 
the  folder  is  returned,  after  the  disability  decision  has  been 
made.  IRS  has  considered  this  disclosure  and  has  expressed 
the  opinion  that  it  is  permlssable  under  the  Tax  Reform  Act. 

d.  It  is  arguable  that  earned  income  data  transmitted  by  the 
State  Data  Exchange  (SDX)  system  under  some  circumstances 
derives  from  return  information  that  is  sometimes  found  in  the 
SSI  claims  folder.  IRS  has  not  yet  addressed  the  issue, 
insofar  as  we  know. 

GAO  Question  2:  To  what  extent  do  you  consider  yourself  bound  to 
preserve  the  confidentiality  of  any  information  disclosed  to 
States  and  private  contractors  that  is  considered  tax  return 
Information? 

Department  Response:  Of  course  we  are  bound  by  existing  laws 
including  the  Tax  Reform  Act.  We  are  also  bound  by  Section  1106 
of  the  Social  Security  Act  and  our  own  regulations  which  require 
SSA  and  HCFA  data  to  be  kept  confidential  and  disclosed  only  as 
prescribed  by  regulations. 
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GAO  Question  3;  To  what  extent  do  you  document  and  control  State 
agency  or  private  contractor  practices  concerning  safeguards  and 
redisclosures  of  any  tax  return  information  as  prescribed  by  26 
U.S.C.  6103  (p) (3)  and  (p)(4)7 

Department  Response:  Except  for  disclosure  to  the  contractor 
operating  the  Federal  PLS  and  the  contractor  Involved  in  the 
annual  wage  reporting  process,  tax  return  information  is  not 
provided  by  the  Department  to  private  contractors.  Documentation 
and  control  of  State  agency  practices  concerning  safeguards  and 
redisclosures — including  some  redisclosures  to  private  contractors 
by  the  States — of  tax  return  Information  are  incorporated  into 
overall  provisions  and  practices  for  monitoring  and  ensuring  State 
agency  compliance  with  the  terms  of  agreements  and 
regulations — incorporated  by  reference  in  agreements  and  manual 
issuances— issued  pursuant  to  various  provisions  of  the  Social 
Security  Act  listed  in  response  to  Question  7  below. 

GAO  Question  4:  May  Federal  tax  information,  with  personal 
Identifiers,  be  disclosed  to  outside  contractors  engaged  by  SSA  to 
carry  out  its  program  responsibilities?  Or,  must  it  be  disclosed 
only  in  a  form  which  cannot  be  associated  with  or  otherwise 
identify,  directly  and  Indirectly,  specific  taxpayers?  (See  IRS 
letter  regarding  "Use  and  Disclosure  of  Federal  Tax  Information  by 
SSA"  (SSA  reference  SRR-5) ,  dated  February  12,  1$80,  which  states 
that  only  unidentifiable  personal  taxpayer  information  may  be 
disclosed  to  those  outside  the  Federal  government.) 

Department  Response:  According  to  an  opinion  provided  by  the 
Internal  Revenue  Service,  return  information  with  personal 
identifiers  may  not  be  disclosed  to  outside  contractors,  with  the 
exception  of  processing  the  annual  wage  reports  noted  in  response 
to  Question  3.  Therefore,  as  noted  above,  SSA  does  not  disclose 
Federal  tax  information  with  taxpayer  identifiers  directly  to 
outside  contractors  engaged  to  carry  out  its  program 
responsibilities.  The  only  disclosures  are  to  States,  as 
described  above.  Unless  the  particular  disclosure  is  approved  by 
IRS,  information  with  taxpayers'  identities  removed  is  not 
released  to  outside  contractors. 

GAO  Question  5:  Does  Section  1106  authorize  you  to  limit 
disclosures  or  otherwise  protect  beneficiary  information  once  it 
has  been  exchanged  with  States  and  private  contractors? 

Department  Response:  Section  1106  provides  that  no  disclosure  of 
any  information  obtained  from  the  Secretary  or  any  officer  or 
employee  of  the  Department  by  any  person  shall  be  made  except  as 
the  Secretary  prescribes  by  regulations.  For  decades  regulations 
issued  pursuant  to  this  statutory  authority — notably.  Regulation 
No.  1  under  the  Social  Security  Act — safeguarded  the 
confidentiality  of  data  thus  disclosed.  We  believe  that  the 
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disclosure  limitation  authority  under  Section  1106  was  severely 
curtailed  by  the  March  1977  amendment  of  the  Freedom  of 
Information  Act.  See  the  recent  revision  of  Regulation  No.  1, 
published  at  45  Fed.  Reg.  74906  -  74908  (November  13,  1980). 

GAO  Question  6:  What  specific  provisions  of  the  Privacy  Act 
authorize  you  to  improve  security  requirements  on  routine 
disclosures  and  redisclosures? 

Department  Response :  The  Privacy  Act  (5  (J.S.C.  522(e)  (10)) 
requires  all  federal  agencies  to  establish  appropriate  safeguards. 
However,  our  understanding  is  that,  with  one  exception,  these 
provisions  cannot  be  imposed  on  entitles  which  are  not  Federal 
agencies.  Under  5  U.S.C.  552a (m)  HHS  must  impose  Privacy  Act 
requirements  on  certain  State  agencies  and  contractors.  For 
example,  the  agreement  with  Medicare  contractors  (carriers) , 
contracts  for  research  and  statistical  work,  and  agreements  with 
States  covering  the  Disability  Determination  Service  (DDS) 
function  impose  Privacy  Act  requirements  on  State  agencies  and 
contractors. 

GAO  Question  7:  what  is  your  authority  to  use  agreements  in  order 
to  protect  Information  disclosed  to  States  and  private 
contractors? 

Department  Response:  Various  provisions  of  the  Social  Security 
Act  permit  or  require  the  Secretary  to  enter  into  agreements  with 
States  or  contractors  for  purposes  of  exchanging  data,  either  in 
connection  with  State  or  contractor  roles  in  the  administration  of 
Department  programs  or  for  research/statistical  purposes.  Some 
provisions  are  general  and  give  the  Secretary  authority  to 
establish  procedures  for  carrying  out  administration  of  the 
Act— e.g.,  IS  205(a),  454(13),  702,  703,  1631(d)(1),  and  1871. 
Other  provisions  relate  specifically  to  agreements  and/or 
disclosure  safeguards— e.g. ,  II  221,  402(a)(9),  411(b),  453,  1106, 
1616,  1631(g),  1633,  1634,  1902(a)(7). 

GAO  Question  8;  Do  these  agreements  extend  to  information  that  is 
merged  with  other  data  in  data  bases  generated  by  States  and 
contractors? 

Department  Response:  None  of  the  agreements  exempt  DHHS-provided 
data  that  has  been  merged  with  other  State  or  contractor  data  from 
continuing  under  the  controls  and  safeguards  agreed  to.  For 
example,  safeguards  required  by  agreements  under  Section  411(b) 
with  State  Welfare  agencies  extend  to  wherever  the  SSA-provided 
wage  data  is  located  within  the  State  agency.  Regulations 
restricting  the  use  and  disclosure  of  information  in  AFDC  and 
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Child  Support  Enforcement  case  files  apply  to  all  information  in 
those  files,  without  regard  to  its  source.  See  45  C.F.R.  205.50 
and  302.18.  Under  the  Child  Support  Enforcement  program, 
regulations  require  the  States  to  establish  and  use  written 
procedures,  which  OCSE  approves  and  audits,  that  assure  the 
safeguarding  of  information  concerning  applicants  or  recipients  of 
Child  Support  Enforcement  Services. 

GAO  Question  9:  To  what  extent  can  you  enforce  those  agreements? 
For  example,  would  you  have  authority  to  refuse  to  finance  public 
assistance  programs  being  administered  by  the  States  if  they  are 
not  complying  with  security  requirements  set  forth  in  the 
agreement? 

Department  Response:  Enforcement  options  include  withholding  of 
data  ol  the  kind  that  had  been  subject  to  abuse,  non-renewal  or 
termination  of  contracts  with  contractors,  termination  of 
agreements  with  States,  and  even — in  the  case  of  a  State  found  to 
be  out  of  compliance  with  the  data  safeguarding  provisions 
required  in  its  State  Plans — a  funding  penalty  provision. 

From  a  practical  standpoint,  none  of  these  actions  would  be 
desirable  in  most  circumstances  from  the  points  of  view  of 
client/beneficiary  service,  Federal/State  relationships,  or  costs 
of  program  administration.  We  monitor,  we  conduct  reviews  and 
audits,  we  negotiate  and  persuade  under  ordinary  conditions  when 
an  out  of  compliance  situation  exists.  We  might  add  that  the 
various  automated  data  exchanges  benefit  the  programs  to  which 
they  relate — they  benefit  SSA  and  HCFA  by  reducing  paperwork  and 
streamlining  processing;  they  benefit  the  publics  served  by 
reducing  redundant  requests  to  individuals  for  Information  they 
have  already  supplied  elsewhere. 

Finally,  it  should  be  noted  that  we  have  no  record  of  any 
significant  past  abuse  or  misuse  of  data  by  a  third  party 
recipient  of  SSA  or  HCFA  data. 

GAO  Question  18:  Are  routine  redisclosures  presently  addressed  in 
the  agreements  between  SSA  and  State  governments? 

Department  Response:  Those  agreements  and  State  plan  requirements 
which  address  redlsclosure  place  restrictions  upon  it.  Depending 
upon  the  particular  agreement  or  State  involved,  redisclosures 
which  could  be  classed  as  routine  might  include  redisclosures  to 
the  client/beneficiary  in  appropriate  circumstances  or  to  his  or 
her  representative,  redisclosures  to  other  public  programs 
identified  in  HHS  regulations,  redisclosures  covered  by  the 
so-called  Jenner  Amendment  described  below  and  redisclosures  to 
medical  and  vocational  consultants  by  State  DDS  agencies. 
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GAO  Question  11:  If  so,  to  what  extent  are  third  party  recipients 
of  such  routine  redisclosures  of  personal  information  required  to 
safeguard  privacy  and  integrity  of  data  against  potential  abuse  or 
misuse? 

Department  Response:  Only  the  agreements  for  the  performance  of 
the  DDS  function  and  some  contracts  for  research  and  statistical 
work  place  safeguard  requirements  on  third  party  recipients  of 
redisclosure — e.g.,  consultative  physicians,  vocational  experts 
and  subcontractors. 

GAO  Question  12:  As  a  practical  matter,  would  you  modify  the 
provisions  of  your  basic  agreements  on  confidentiality  matters  for 
those  States  whose  laws  conflict  with  Federal  confidentiality 
standards? 

Department  Response?  To  the  extent  that  this  is  a  hypothetical 
question,  we  would  make  every  effort  to  work  out  the  problem  and 
correct  any  misunderstanding.  However,  since  our  confidentiality 
standards  are  based  on  Federal  statute,  the  Federal  statute  would 
be  the  ultimate  controlling  factor  where  It  is  in  point.  We  could 
not  compromise  in  violation  of  Federal  law.  You  should  also  bear 
in  mind  that  adversary  relationships  between  Federal  and  State 
instrumentalities  would  not  ordinarily  be  conducive  to  the 
effective  management  and  operation  of  Federal/State  programs. 

We  do  not  view  State  legislation  pursuant  to  Section  618  of  the 
Revenue  Act  of  1951,  known  as  the  Jenner  Amendment,  as  in  conflict 
with  Federal  confidentiality  standards.  As  you  know,  this 
provision  prohibits  HHS  from  withholding  grant-in-aid  funds, 
otherwise  payable  to  the  States,  solely  because  they  enact 
legislation  permitting  public  access  to  the  names  and  addresses  of 
public  assistance  recipients  and  the  amount  of  the  assistance 
payments.  However,  such  legislation  must  prohibit  the  use  of  any 
lists  or  names  for  commercial  or  political  purposes.  States 
electing  to  have  a  Jenner  provision  also  have  in  their  legislation 
penalties  for  misuse  of  this  information.  The  States  also  decide 
the  conditions  of  access  to  this  information.  Statutes  which 
comply  with  the  Jenner  Amendment  would  not  likely  cover  disclosure 
of  the  type  of  information  which  HHS  furnishes  to  the  States  under 
the  arrangements  noted  in  the  above  responses. 

GAO  Question  13:  If  no  modifications  are  made  to  the  basic 
agreements  on  confidentiality  matters,  would  SSA  decline  to  share 
information  with  States  which  have  statutes  requiring  publication 
of  beneficiary  data? 

Department  Response:  At  present,  31  States  have  statutes  under 
the  Jenner  Amendment.  Since  these  States  are  believed  to  be  in 
compliance  with  Federal  requirements  under  its  provisions  there 
would  not  be  any  reason  for  DHRS  to  decline  to  share  information 
with  them.  With  respect  to  Questions  12  and  13,  should 
Implementation  of  States'  statutes  appear  to  conflict  with  Federal 
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confidentiality  requirements  and  the  Jenner  Amendment,  these 
States  would  be  considered  out  of  compliance  with  Federal  law. 

Negotiations  between  Regional  staff  and  States  would  be  pursued  in 
an  attempt  to  resolve  the  compliance  issue. 

GAO  Question  14:  In  your  view,  does  the  source  of  personal 
beneficiary  information  have  any  relationship  to  the  extent  that 
such  information  should  be  safeguarded  from  potential  abuse  or 
misuse? 

Department  Response:  Clearly,  the  source  of  personal  beneficiary 
Tnformat ion~does  determine  the  applicability  of  Tax  Reform  Act 
safeguards — see  discussion  of  the  first  question.  What  should  be 
the  relationship  of  source  to  safeguarding — while  a  matter  for 
conjecture — probably  depends  upon  (1)  the  linkage  between  the 
source  and  the  probable  sensitivity  of  the  data  and/or  (2)  the 
original  provider's  reasonable  expectations  as  to  confidential 
treatment  of  the  original  information  provided  the  collecting 
source  While  source,  thus,  provides  a  clue  as  to  the  extent 
information  should  be  safeguarded,  the  type  or  nature — i.e., 
sensitivity — bears  a  more  direct  relationship.  For  example,  SSA 
considers  medical  evidence  to  be  very  sensitive  and  provides 
elaborate  safeguards  against  its  unwarranted  release,  not  because 
the  source  may  be  a  medical  practitioner,  but  because  disclosure  | 

of  information  in  the  medical  record  can  be  embarrassing  or  even 
harmful  to  the  individual. 

GAO  Question  15;  Does  ownership  of  a  file — i.e..  Federal  agencies 
such  as  IRS,  HHS,  Veterans  Administration;  State  governments; 
private  organizations;  etc. — containing  the  same  basic  elements  of 
personal  information  justify  differing  security  standards  for 
safeguarding  personal  data  from  potential  abuse  or  misuse. 

Department  Response:  The  question  seems  unclear.  If  the  files 
cited  are  separately  maintained,  or  the  "ownership"  of  specific 
items  of  information  identified,  different  statutes,  regulations, 
agreements,  undertakings,  etc.,  may  apply  to  the  use  of  the  data 
from  one  "file"  than  apply  to  the  use  of  data  from  the  other.  See 
discussion  of  Question  14. 

GAO  Question  16:  Do  you  believe  there  is  a  need  for  legislation 
that  would  provide  a  stronger  basis  to  safeguard  confidential 
personal  beneficiary  information  being  disclosed  to  States  and 
private  contractors? 

(Note:  We  recognize  that  Section  411  of  the  Social  Security  Act 
does  already  provide  specific  bases  for  confidentiality  provisions 
on  data  exchanges  specifically  for  the  AFDC  program). 

Department  Response:  We  anticipate  additional  and  modified 
legislation  in  this  area  of  strong  public  and  policy  interest  to 
continue  to  be  developed,  debated  and  enacted  as  the  "information 
revolution"  and  the  use  of  computers  continue  to  evolve.  Perhaps 
the  need  at  present  is  for  greater  uniformity  of  safeguarding 
requirements  and  reduction  of  the  complexity  in  administering  the 

various  applicable  statutes.  i 
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EXAMPLES  OF  SYSTEMS  USED  BY  SSA  TO  EXCHANGE 
PERSONAL  INFORMATION  WITH  STATES 


Many  public  assistance  programs  Financed  by  the  Federal  Gov¬ 
ernment  are  administered  by  State  governments.  To  assist  States 
in  administering  these  programs  and  to  help  validate  beneficiaries' 
eligibility,  several  systems  for  exchanging  personal  beneficiary 
information  with  State  governments  are  used.  Examples  of  these 
systems  include: 

— Beneficiary  and  Earnings  Data  Exchange  (BENDEX)  system. 

— State  Data  Exchange  (SDX)  system. 

— Federal  Parent  Locator  Service. 

— Financial  Accounting  Exchange  System. 

— State  Buy-In  System. 

— Interim  Assistance  Reimbursement  Process. 

— Carrier  Alphabetic  State  List  System. 

— Beneficiary  State  Tape  System. 

The  BENDEX  system 

The  BENDEX  system  is  a  system  which  provides  personal  benefi¬ 
ciary  information  from  the  SSA  Master  Beneficiary  Records  to  in¬ 
form  State  governments  on  basic  social  security  entitlements  for 
recipients  under  Federal  grant-in-aid  programs. 

The  SDX  system 

The  SDX  system  is  an  automated  process  which  provides  detailed 
records  to  States  needing  personal  data  on  beneficiaries  receiving 
SSI  payments.  The  beneficiary  information  for  this  system  is  ob¬ 
tained  from  SSA's  automated  Supplemental  Security  Record. 

The  SDX  system  was  designed  to  provide  personal  data  to  State 
governments  for  administering  Medicaid,  State  supplementations  of 
Federal  SSI  benefits,  and  for  interim  assistance  reimbursements. 

The  system  is  national  in  scope  and  is  not  modified  by  SSA  to 
satisfy  the  unique  needs  of  one  State  government  to  the  detriment 
of  those  of  other  States.  All  States  and  the  District  of  Columbia 
received  their  initial  SDX  magnetic  tape  files  during  December 
1973.  They  all  have  since  received  monthly  and  weekly  transmis¬ 
sions  to  update  their  respective  files. 
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Federal  Parent  Locator  Service 


This  service  is  an  information-sharing  system  authorized  by 
Public  Law  93-647  to  assist  State  welfare  agencies  in  obtaining 
information  on  the  whereabouts  of  absent  parents  for  enforcing 
parental  support  obligations  within  the  AFDC  program. 

HHS  has  developed  an  automated  system  for  this  service  which 
provides  State  officials  with  information  on  the  last  reported 
residence  or  employer's  address  on  absent  parents.  The  most 
common  sources  of  information  for  this  system  include  files  and 
records  maintained  by  SSA,  the  Internal  Revenue  Service,  and  the 
Department  of  Defense. 

Financial  Accounting  Exchange  System 

This  system  is  an  automated  system  developed  by  SSA  to  provide 
case-by-case  accounting  data  to  State  governments  which  have  agreed 
to  Federal  administration  of  SSI  payments  for  State  supplementa¬ 
tions  to  the  Federal  SSI  program.  The  payment  (payroll)  data  in 
this  system  are  obtained  from  automated  SSI  master  records. 

The  system  accounts  for  and  supports  all  Federal  payment  and 
collection  activities  within  the  State  SSI  supplementation  program. 
It  provides  State  governments  with  a  list  of  recipients  for  whom  a 
payment/collection  transaction  was  processed  by  SSA  during  the  re¬ 
porting  month  and  allows  the  States  an  opportunity  for  assuring 
that  their  funds  are  disbursed  properly. 

State  Buy-In  System 

The  State  Buy-In  System  is  an  automated  system  maintained  by 
SSA  to  identify  all  people  who  are  in  a  State  buy-in  status — i.e., 
the  State  government  pays  Medicare  health  insurance  premiums  for 
needy  beneficiaries  enrolled  in  its  Medicaid  program. 

Initial  data  inputs  for  this  system  came  from  State  govern¬ 
ments  (1)  in  1966  when  the  buy-in  system  was  established  and 
(2)  in  1974  when  the  Federal  SSI  program  was  implemented.  Monthly 
updates  to  the  buy-in  system  are  accomplished  through  automated 
exchanges  of  data  between  the  States  and  SSA.  Current  sources 
of  information  in  this  system  includes  (1)  eligibility  determi¬ 
nations  made  by  State  welfare  agencies  administering  Medicaid 
programs,  (2)  the  SSA  Master  Beneficiary  Record,  (3)  the  SSA 
Supplemental  Security  Record,  and  (4)  the  Health  Insurance  Master 
File  maintained  on  SSA’s  computers  for  HCFA. 

Files  in  the  Buy-In  System  are  updated  monthly  and  are  for¬ 
warded  to  the  States  for  their  use  between  the  5th  and  10th  day 
of  the  following  month. 
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Interim  Assistance  Reimbursement  Process 


This  is  a  data  exchange  process  whereby  SSA  notifies  State 
governments  of  pending  beneficiary  applications  for  SSI  payments. 

The  States,  in  turn,  make  interim  assistance  payments  to  benefici¬ 
aries  to  cover  their  basic  needs  between  the  time  that  their  appli¬ 
cation  for  benefits  is  filed  with  and  approved  by  SSA. 

Carrier  Alphabetic  State  List  System 

This  system  is  an  automated  process  which  generates  alphabetic 
lists  of  people  receiving  benefits  from  the  Federal  health  insurance 
(Medicare)  program  on  a  State-by-State  basis.  These  lists  are  made 
on  microfilm  and/or  microfiche,  and  distributed  to  Medicare  con¬ 
tractors  responsible  for  claims-processing  activities  within  each 
State  for  HCFA.  These  lists  are  also  distributed  to  State  govern¬ 
ments  for  use  in  administering  their  respective  Medicaid  programs. 

Beneficiary  State  Tape  System 

This  system  is  an  automated  system  which  develops  lists  of 
Federal  health  insurance  (Medicare)  beneficiaries  residing  in 
specific  States  and  U.S.  territories. 
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TYPES  OF  PERSONAL  INFORMATION  BEING  EXCHANGED  WITH  STATES 


As  discussed  in  appendix  II,  several  systems  are  used  for  ex¬ 
changing  personal  beneficiary  information  with  States  for  use  in 
administering  federally  financed  programs.  The  list  below  iden¬ 
tifies  types  (elements)  of  personal  information  being  disclosed 
from  SSA/HCFA  files  to  States  by  those  systems. 

DESCRIPTION  OF  PERSONAL  INFORMATION 
BEING  DISCLOSED  TO  STATES 


Name 

Address 

Telephone  number 

Social  security  number 
-Beneficiary 
-Spouse 

-Essential  person  (includes  dependents) 
-Identification  of  multiple  social  security  numbers 
-Beneficiary  identification  number 
-Claim  account  number  for  Title  II  benefits 
-Health  insurance  claim  number  for  beneficiary 
-State  welfare  identification  number 
-Beneficiary 
-Spouse 

-Essential  person 


Sex 

Race 

National  origin 

Date  of  birth 

Date  of  residency 

Student  identification 

Marital  status 

Head  of  household  status 
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Date  of  application  for  benefits 
Date  of  death 

Most  current  transaction  processed 
-Type 
-Date 

Identification  of  local  SSA  district  office 

Payment  of  benefits  by  direct  deposit 
-Indicator 
-Bank  address 

Representative  payee 
-Name 
-Address 
-Effective  date 
-Custody  of  beneficiary 
-Competency  of  beneficiary 
-Type  of  payee 

Categories  of  assistance 

-Supplemental  Security  Income  (SSI) 

-Aged 

-Blind 

-Disabled 

-Aid  to  Families  with  Dependent  Children  (AFDC) 
-Medicare  program 
-Part  A 
-Part  B 

-State  Buy-In  Program 
-Medicaid  program 
-Drug/alcohol  addiction 

Identification  of  beneficiary's  personal  resources 
-House 
-Automobile 
-Life  insurance 
-Income-producing  property 
-Other 
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1 


Beneficiary's  income 
-Period  covered 

-Employer's  identification  number 
-Employer ' s  name  and  address 
-Countable  earned  income 
-Amount  of  wages 
-Self-employment 

-Work  expenses  (for  the  blind  only) 

-Income  exclusions 
-Countable  unearned  income 
-Type 

-Start  date 
-Stop  date 
-Amount 

-Frequency  of  amounts 
-Realized 

-Validation  of  amounts 
-Countable  income 
-Income  overflow 

Type  of  living  arrangments 

Data  of  program  denial 

Beneficiary  appeals 
-Status 
-Results 

-Awarded 

-Denied 

SSI  program 

-Claim  status 
-Pending 
-Awarded 
-Denied 

-Indicator  showing  that  benefits  are  being  paid 
-Date  of  eligibility 
-Amount  of  eligibility 
-Office  originating  claim 
-Amount  of  monthly  benefits 
-Federal 
-State 

-Conditional  benefit  payments 
-Advanced  benefit  payments 
-Special  needs  identified 
-Date  of  termination 

State  supplementation  for  the  SSI  program 
-Effective  date 
-Eligibility  amount 
-Amount  of  payment 
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AFDC  program 

-Date  of  entitlement 
-Amount  of  monthly  payment 

Medicare  program 

-Option  code  for  participation 
-Date  of  entitlement 
-Amount  of  premiums  collectable 
-Premium  payer 

Medicaid  program 

-Date  of  eligibility 
-Effective  date  for  coverage 
-Identification  of  third  party 
-Extent  of  retroactive  coverage 

State  Buy-In  Program 

-Eligibility  of  beneficiary 
-Coverage 

Status  for  benefits  from  the  Railroad  Retirement  Board 

Status  for  benefits  from  the  Federal  Black  Lung  Program 

Disability  benefits  received 
-Date  of  onset 
-Benefit  payment  code 

Forced  benefit  payment  status 

-Amount  of  Federal  benefits  paid 
-Amount  of  State  benefits  paid 
-Number  of  checks  issued 

Histories  of  benefit  payments 
-Number  of  checks  issued 
-Number  of  quarterly  payments  made 
-Detail  on  payments  made  during  9  quarters 

Status  of  collection  of  overpayments  of  benefits 
-Federal  payments 
-State  payments 

Status  of  returned  benefit  checks  and  direct  deposit 

Refunds  on  overpayments  to  beneficiaries 

-Number  of  checks  issued  and  amount  of  payment  made  to 
Government 
-Current  year 
-Prior  years 
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Status  of  advanced  payments  for  emergencies 
-Amounts  paid  by  Federal  Government 
-Amounts  paid  by  State  governments 
-Advances  recovered 
-Federal  money 
-State  money 

Status  of  one-time  manual  payments  to  beneficiaries 
-Number  of  payments  made 

-Sources  and  amounts  of  money  used  for  each  payment 
-Federal  money 
-State  money 

Status  of  cash  refunds  by  beneficiaries 
-Federal  payments 
-Current  year 
-Prior  years 
-State  payments 
-Current  year 
-Prior  years 
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